0 Document Control

0.1 Versioning

Name   Date              Reason                  Version
       February 1, 2016  Placed into production  1

0.2 Applicable Parties

This document is strictly confidential and should only be distributed or viewed by the following parties:
• HAL Designated Associates
• HAL Regional Employees (Compartmented to the Division)
• HAL Management Team
• HAL Auditing Team

0.3 Review Period

This document is subject to review by the Information Security Policy Committee (ISPC) at a minimum interval of quarterly (every 3 months) and a maximum interval of bi-annually (every 6 months).

0.3.1 Previous Reviews

Committee      Review Date  Approval Date
ISPC           7/15/2015    8/1/2015
CEO            1/21/2016    1/22/2016
Corporate CIO  1/23/2016    1/23/2016

1 Purpose

This policy establishes information security requirements for all networks and equipment deployed at HAL on the internal network. Adherence to these requirements will minimize the potential risk to HAL from damage to its public image caused by unauthorized use of HAL resources, and from the loss of sensitive/company confidential data and intellectual property.

2 Scope

2.1 Applicability

This policy applies to all HAL employees and affiliates at all HAL facilities and locations world-wide.

2.2 Ownership

This policy is under the direct control of the HAL Corporate CEO with input from all Executive Level Leadership and other members of management with an interest in the program.

3 Policy

3.1 General Guidelines

All new equipment must be accompanied by a business justification with sign-off at the business unit Vice President level. InfoSec must keep the business justifications on file.

Departments are responsible for assigning managers, a point of contact (POC), and a backup POC for each department, and must maintain up-to-date POC information with InfoSec [and the corporate enterprise management system, if one exists]. Managers or their backup must be available around-the-clock for emergencies.
Changes to the connectivity and/or purpose of existing network equipment, and the establishment of new equipment connectivity, must be requested through a HAL Network Support Organization and approved by InfoSec.

A Network Support Organization must maintain a firewall device between the production environment and the DMZ. The Network Support Organization and InfoSec reserve the right to interrupt device connections if a security concern exists.

The IS/IT/InfoSec staff will provide and maintain network devices deployed in the network up to the Network Support Organization point of demarcation. The IS/IT/InfoSec staff must record all equipment address spaces and current contact information [in the corporate enterprise management system, if one exists].

The Department Managers are ultimately responsible for their organizations' compliance with this policy.

Immediate access to equipment and system logs must be granted to members of InfoSec and the Network Support Organization upon request, in accordance with the Audit Policy.

Individual accounts must be disabled within three (3) days when access is no longer authorized. Group account passwords must comply with the Password Policy and must be changed within three (3) days of a change in the group membership.

InfoSec will address non-compliance waiver requests on a case-by-case basis.

3.2 General Configuration Requirements

Production resources must not depend upon resources outside of the corporate network.

HAL's corporate internal networks may not be accessed, either directly or via a wireless connection, by resources or devices outside of the production environment.

Network equipment should be in a physically separate room from any DMZ-connected devices. If this is not possible, the equipment must be in a locked rack with limited access. In addition, the Department Manager must maintain a list of who has access to the equipment.
Department Managers are responsible for complying with the following related policies:
• HAL Policy ISSP for Password Policy
• HAL Policy ISSP for Wireless Communications Policy
• HAL Policy ISSP for Malware Control

The firewall devices maintained by the Network Support Organization must be configured in accordance with least-access principles and the department's business needs. All firewall filters will be maintained by InfoSec. The firewall device must be the only access point between the DMZ and the rest of HAL's networks and/or the Internet. Any form of cross-connection which bypasses the firewall device is strictly prohibited. Original firewall configurations and any changes thereto (including both general configurations and rule sets) must be reviewed and approved by InfoSec. InfoSec may require additional security measures as needed.

Access to resources on HAL's network will be granted based on Extended Access Control Lists (Extended ACLs), which will utilize a most-restrictive logic combining source and destination IP addressing with protocol-level filtering. InfoSec staff will be responsible for configuring and updating Extended ACLs on HAL's internal firewall equipment connected to production-level resources.

All routers and switches not used for testing and/or training must conform to the Network Router and Switch standardization documents.

Current applicable security patches/hot-fixes for any applications must be applied. All applicable security patches/hot-fixes recommended by the vendor must be installed. Administrative owner groups must have processes in place to stay current on appropriate patches/hot-fixes.

Services and applications not serving business requirements must be disabled.
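The following Cisco IOS fragment is an added illustration, not part of the HAL policy or its standardization documents, of what the Extended ACL requirement above looks like on the DMZ firewall device: a non-compliant list beside a compliant one that names source, destination and protocol for every permit and logs what it drops. The subnets, hosts, ports and interface name are assumed for illustration.

```cisco
! Added example; all addresses and host roles below are assumed placeholders.
! DMZ subnet:        192.0.2.0/24   (RFC 5737 documentation range)
! Production subnet: 10.10.20.0/24  (assumed)
!
! --- Non-compliant: no source, destination or protocol restriction. ---
ip access-list extended DMZ-IN-NONCOMPLIANT
 permit ip any any
!
! --- Compliant: each permit names source, destination and protocol/port; ---
! --- anything the DMZ is not explicitly allowed to open is dropped and logged. ---
ip access-list extended DMZ-IN
 remark Web front end (DMZ) -> application API (production), TCP/8443 only
 permit tcp host 192.0.2.10 host 10.10.20.15 eq 8443
 remark Any DMZ host -> internal resolver, DNS only
 permit udp 192.0.2.0 0.0.0.255 host 10.10.20.53 eq 53
 remark Any DMZ host -> internal time source, NTP only
 permit udp 192.0.2.0 0.0.0.255 host 10.10.20.5 eq 123
 remark No DMZ host may open management sessions toward production; the
 remark final deny covers this, and its log entries support Audit Policy review
 deny   ip any any log
!
! Bind the list inbound on the DMZ-facing interface (interface name assumed).
interface GigabitEthernet0/1
 description DMZ
 ip access-group DMZ-IN in
```

The explicit final deny duplicates the implicit one at the end of every IOS ACL but adds the log keyword, so attempts to bypass the permitted flows are recorded rather than silently dropped.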
HAL Confidential information is prohibited on equipment where non-HAL personnel have physical access (e.g., training labs), in accordance with the Information Sensitivity Classification Policy.

Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec) or via console access independent from the DMZ networks.

4 Enforcement

Any employee found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment.

NOTE: As part of the SECCDC event, infractions of the rules regarding this policy may result in a point penalty.